Registry Items

This page provides more detail about what is collected in a Windows 'Registry Items' acquisition profile.

What It Collects

The Registry Items evidence type collects persistence-related artefacts from the Windows Registry. This is a targeted acquisition, not a full registry dump. It focuses only on registry keys and values that are commonly used by malware — and occasionally by legitimate software — to maintain persistence on a system.

Specific Keys Collected

The collector examines over a thousand registry locations. These fall into six main categories:

1. Startup and Run Keys

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

  • HKU\S-1-5-*\Software\Microsoft\Windows\CurrentVersion\Run

  • HKU\S-1-5-*\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • Terminal Server startup locations

  • Policy-based Run keys

2. Winlogon Persistence

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (values such as Shell, Userinit, Taskman)

  • HKU\S-1-5-*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

3. Shell Extensions and Context Menus

  • Context menu handlers for files, folders, and drives

  • Property sheet handlers

  • Drag-and-drop handlers

  • Shell icon overlay identifiers

  • Browser Helper Objects (BHOs)

4. System-Level Persistence

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager (values such as BootExecute and Execute)

  • LSA authentication and notification packages

  • Security providers

  • Print monitors

  • Image File Execution Options (IFEO) – debugger hijacking

5. Browser and Application Extensions

  • Internet Explorer toolbars and extensions

  • Mozilla plugins

  • Active Setup components

6. Services and Drivers

  • Service-related registry locations

  • Driver loading mechanisms

Why This Evidence Is Valuable

  • Malware detection – Most persistent malware leverages these registry locations.

  • Incident response – Rapid identification of unauthorized or suspicious startup programs.

  • Forensic analysis – Reconstruct what executables and components were configured to launch automatically.

  • Compliance and validation – Verify that only approved software is using persistence mechanisms.
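The acquisition profile gathers the values; deciding which of them matter is still the analyst's job. The Python script below is an added example, not code from the product or from this page. It parses a small constructed `.reg` export of the HKLM Run and Winlogon keys listed above, pulls the executable path out of each value (a Userinit value is a comma-separated list, and `%windir%` is expanded to an assumed `C:\Windows`), and flags two things: an autostart executable living in a user-writable directory, and a Winlogon value that deviates from a constructed baseline. The sample export, the baseline and the directory heuristics are all assumptions made for the example.

```python
"""Triage of Run / Winlogon values from a .reg export (added example, not the product's code)."""
import re

# Constructed sample: what a `reg export` of two persistence keys might produce. The
# entries are invented for illustration; the AppData and Users\Public paths are the
# kind of location a persistence review should question.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\upd\\svchost.exe\" -s"
"Flags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\Public\\helper.exe,"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKEY_...\Path]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data

# Assumed expansions for environment variables that commonly appear in Run values.
ENV = {'%windir%': r'C:\Windows', '%systemroot%': r'C:\Windows'}

# Directories an unprivileged user can write to; an autostart binary living there is
# worth a closer look. Lower-case substrings matched against the lower-cased path.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')

# Constructed baseline for Winlogon values that should almost never change.
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
EXPECTED = {
    (WINLOGON, 'shell'): {'explorer.exe'},
    (WINLOGON, 'userinit'): {r'c:\windows\system32\userinit.exe'},
}


def unescape(s):
    # .reg escapes exactly two characters inside strings: backslash and double quote.
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}}. String data is unescaped; other types
    (dword:, hex:) are kept as ('raw', text). Default values (@=) are skipped."""
    result, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                result[current][name] = unescape(data[1:-1])
            else:
                result[current][name] = ('raw', data)
    return result


def executables(command, comma_list=False):
    """Extract the executable path(s) a Run or Userinit value launches. Userinit is a
    comma-separated list; a quoted path ends at the closing quote, an unquoted one at
    the first space (the same ambiguity Windows itself faces with unquoted paths)."""
    paths = []
    for part in (command.split(',') if comma_list else [command]):
        part = part.strip()
        if not part:
            continue
        exe = part[1:].split('"', 1)[0] if part.startswith('"') else part.split(' ', 1)[0]
        for var, val in ENV.items():
            exe = re.sub(re.escape(var), lambda _m: val, exe, flags=re.IGNORECASE)
        paths.append(exe)
    return paths


def triage(parsed):
    """Return (key, value_name, executable, reason) tuples for entries worth an analyst's time."""
    findings = []
    for key, values in parsed.items():
        for name, data in values.items():
            if not isinstance(data, str):
                continue  # dword/hex values carry no command line
            baseline = EXPECTED.get((key.lower(), name.lower()))
            for exe in executables(data, comma_list=(name.lower() == 'userinit')):
                low = exe.lower()
                if any(marker in low for marker in USER_WRITABLE):
                    findings.append((key, name, exe, 'executable in user-writable location'))
                elif baseline is not None and low not in baseline:
                    findings.append((key, name, exe, 'deviates from expected baseline'))
    return findings


if __name__ == '__main__':
    for key, name, exe, reason in triage(parse_reg(SAMPLE_REG)):
        print(f'{reason}: [{key}] {name} -> {exe}')
```

On the sample export the two findings are the `Updater` entry in `AppData\Roaming` and the second `Userinit` component in `Users\Public`; `SecurityHealth` under the Windows directory and the unchanged `Shell` value pass. The baseline approach is what the compliance use above comes down to in practice: a short list of expected values per sensitive key, with everything else surfaced for review rather than silently accepted.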
